Hardware Integrity Configuration with Symantec Endpoint Encryption

Article ID: 374620


Updated On: 06-12-2025

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Encryption Suite, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The Hardware Integrity Check feature binds an encrypted disk to the endpoint it was encrypted on. At preboot it compares the endpoint's current hardware parameters against a stored baseline and, if they differ, blocks normal password authentication and forces a recovery path.

The feature is configured as part of the native policy and is enabled by default in the SEE web console. For background on the web console, see article 240649 - Symantec Endpoint Encryption Web Dashboard and Reports.

Resolution

To configure this functionality, log on to the SEE Management Server and open the Symantec Endpoint Encryption Web Console. Go to "POLICIES", create a policy or open an existing one, then click "Drive Encryption" and then "Preboot Configuration".

The Preboot Configuration page shows the Hardware Integrity Check toggle at the top.

Once the option is enabled in policy and the SEE Drive Encryption Client 12.0.1 or later is deployed on an endpoint, the client computes and stores integrity information derived from hardware parameters that are specific to that endpoint. This ties the encrypted disk to the endpoint it was installed in: the same disk in a different machine will not pass the check.

 

Hardware Integrity Check Recovery Options

Help Desk Recovery: By default, this option redirects the user to the Help Desk Recovery screen.

At the Help Desk Recovery screen, the user can contact the help desk administrator to generate a recovery key for the new endpoint.

After entering the recovery key and once the system fully boots into Windows, the SEE client regenerates hardware integrity information based on the new hardware changes. Therefore, during subsequent user authentication, the recovery screen will not be presented again unless an additional hardware change is detected.

 

Client Administrator: Alternatively, the user can choose the Client Administrator option, which redirects them to the Client Administrator screen.

Any of the client administrators registered in the policy can then authenticate at preboot.

 

Enhanced Security Measures:

If the disk is removed from an endpoint and connected to a new endpoint, the Hardware Integrity Check at the new endpoint detects that the parameter values no longer match the stored baseline. The check fails, and the user is presented with the recovery mechanism that was chosen in the native policy instead of the normal preboot logon.

 

Configuration Notes:

For users to be able to use the "Help Desk Recovery" option, ensure that Help Desk Recovery is configured under the "Recovery Methods" section of the native policy.

Similarly, for users to be able to use the "Client Administrator" option, at least one administrator must be configured under the "Client Administrators" section of the native policy. Only the recovery options that the policy has configured are offered to the user when the hardware integrity check fails.



Troubleshooting:

If the machine's hardware changes, for example the hard drive is taken out of the original machine and placed into a new chassis, the Hardware Integrity Check detects the variation and the system boots into a "Recovery" screen. Nobody can enter a username/password to boot the system from this screen; this is the intended security behaviour and protects the data on the moved disk.

Booting into the SEE Preboot recovery screen after such a change is therefore normal. To recover, use either a help desk recovery key for SEE Drive Encryption or a SEE Client Administrator password; only one of the two is needed for a given recovery. The default policy behaviour is to direct the user to help desk recovery and issue a recovery key.

Once the system has booted successfully, whether with a recovery key or a SEE Client Administrator password, SEE builds a new hardware baseline for the current hardware, and subsequent reboots on that hardware no longer enter recovery mode.
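The behaviour described in the sections above (baseline computed at enrollment, preboot comparison, recovery screen on mismatch, baseline regenerated only after a successful help desk or client administrator recovery) can be modelled in a few lines. The following is an added example written for this article; it is not SEE code and does not reproduce SEE's actual parameter set, storage format or digest. The hardware parameter names, the keyed SHA-256 fingerprint, the baseline key and the sample recovery secrets are all constructed for illustration.

```python
"""Conceptual model of a preboot hardware integrity check (added example, not SEE code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample hardware parameters. The parameter set is hypothetical;
# the article does not state which parameters SEE uses.
ORIGINAL_ENDPOINT = {
    "system_uuid": "4C4C4544-0042-3110-8052-B3C04F4B5331",
    "board_serial": "PF1ABCDE",
    "cpu_id": "BFEBFBFF000906EA",
    "tpm_present": True,
}
# Same disk moved into a new chassis: UUID and board serial differ, CPU matches.
NEW_CHASSIS = dict(ORIGINAL_ENDPOINT,
                   system_uuid="4C4C4544-0033-4C10-8056-C7C04F475A31",
                   board_serial="PF1ZZZZZ")


@dataclass
class Policy:
    """Subset of the native policy that the article describes (assumed field names)."""
    hic_enabled: bool = True
    default_recovery: str = "help_desk"   # article: Help Desk Recovery is the default
    help_desk_recovery: bool = True       # "Recovery Methods" section
    client_administrators: tuple = ()     # "Client Administrators" section


def available_recovery(p: Policy) -> list:
    """Recovery options the user can be offered, policy default first."""
    opts = []
    if p.help_desk_recovery:
        opts.append("help_desk")
    if p.client_administrators:
        opts.append("client_administrator")
    opts.sort(key=lambda m: m != p.default_recovery)
    return opts


def validate_policy(p: Policy) -> list:
    """The misconfigurations the Configuration Notes warn about."""
    problems = []
    if p.hic_enabled and not available_recovery(p):
        problems.append("no recovery method configured: users could not recover from a hardware change")
    if p.default_recovery not in available_recovery(p):
        problems.append(f"default recovery {p.default_recovery!r} is not configured in the policy")
    return problems


def hardware_fingerprint(params: dict, key: bytes) -> str:
    """Keyed digest over a canonical encoding of the parameters.
    The key is assumed to live in the protected preboot area (model assumption)."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


@dataclass
class EndpointState:
    policy: Policy
    key: bytes
    baseline: str


def enroll(params: dict, policy: Policy, key: bytes = b"constructed-baseline-key") -> EndpointState:
    """Client with the check enabled: compute and store the baseline for this endpoint."""
    return EndpointState(policy, key, hardware_fingerprint(params, key))


def preboot_screen(state: EndpointState, current: dict) -> tuple:
    """('credentials', []) on a match, or ('recovery', [options...]) on a mismatch."""
    if not state.policy.hic_enabled:
        return ("credentials", [])
    if hmac.compare_digest(hardware_fingerprint(current, state.key), state.baseline):
        return ("credentials", [])
    return ("recovery", available_recovery(state.policy))


def complete_recovery(state: EndpointState, current: dict, method: str,
                      secret: str, verifier: dict) -> bool:
    """A valid help desk key or client administrator password regenerates the baseline
    for the current hardware. A failed or disallowed attempt leaves the baseline untouched.
    `verifier` stands in for the help desk / client administrator credential check."""
    if method not in available_recovery(state.policy):
        return False
    expected = verifier.get(method, "")
    if not hmac.compare_digest(expected.encode(), secret.encode()):
        return False
    state.baseline = hardware_fingerprint(current, state.key)
    return True
```

Two points the model makes explicit: a disk moved back to its original chassis after recovery trips the check again, because the regenerated baseline now describes the new chassis; and a policy whose default recovery method is not actually configured leaves users with no way past the recovery screen, which is why the Configuration Notes above matter.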

For further guidance and troubleshooting assistance, reach out to Symantec Encryption Support.
EPG-37318

Additional Information